Contain a leaked key

Contain a leaked key

1. Write a detection rule

Investigate ▸ SIEM ▸ Detection rules — match blocked-secret guardrail events, grouped by key, with a threshold:

  • Match: category = guardrail.triggered AND action = BLOCK AND matched category SECRET
  • Group by: the offending key
  • Threshold: count ≥ 5 within 10 minutes

This catches a leaked key (or a compromised application) repeatedly trying to exfiltrate secrets, without alerting on a single stray match. The match expression uses the same grammar everywhere:

JSON
{
  "all": [
    { "field": "category", "equals": "guardrail.triggered" },
    { "field": "attributes.action", "equals": "BLOCK" },
    { "field": "attributes.category", "equals": "SECRET" }
  ]
}

2. Route the alert

Govern ▸ Notifications ▸ Routing — send siem.detection events to an email or HMAC-signed webhook channel (your pager, a Slack-compatible webhook, or the in-app bell).

3. Add the SOAR rule

Investigate ▸ SOAR ▸ Rules — same match, harder trigger, reversible action:

  • Group by: the offending key · Threshold: ≥ 10 in 5 minutes · Cooldown: 30 minutes
  • Action: quarantine — the key goes into the reversible SUSPENDED state and a SecurityActionTaken event is recorded.

4. Review the containment

SOAR ▸ Actions (platform admin): when the rule fires, mark the action CONFIRMED — or un-suspend the key if it was a false positive. Permanent revocation stays a manual act, so automation can never irrecoverably cut off a tenant.

Verify

Drive blocked-secret calls from one key — the Guardrails ▸ Test tab plus the Playground make this easy — and watch, in order: the detection fire in SIEM, the alert arrive on your channel, the key flip to SUSPENDED, and the action appear in the review feed. Un-suspend the key when done.

Why it works

SOAR consumes the same normalized event stream as everything else and takes reversible actions with a cooldown, so a burst of noise cannot cascade into permanent damage. The detection rule (alert at 5) firing before the SOAR rule (contain at 10) gives a human a head start on the automation.

Next

  • SIEM, UEBA & SOAR — the full security-operations model, including UEBA baselines.